Skynet - Router Firewall & Security Enhancements

I've pushed v6.6.0

Code:
Validate domains in various functions
Consolidate swap validation code
Fix list names not showing in stats
Allow IPSet v7
General code cleanup
Add activity indicator
Rewrite stats function

The major visual change here is the new stats function output; it is significantly improved and now neatly formatted. There is also an activity indicator so you know Skynet is still working in the background.
Thank you, love the activity indicator :)
Very useful as I have a window open with Option 12 / 1 running.

Thanks for the continued evolution of Skynet, very useful.
 
Nice new additions @Adamm :cool::cool::cool::cool:
 
I always look forward to your updates the most Adamm :p hahaha, awesome addition as always
 
Just updated to version 6.6.0.
However, I get a lot of grep errors in menu 13/1/1/1 like this:

grep: /tmp/skynet/skynetstats.txt: No such file or directory

I did a find but that file doesn't exist at all.
 
Probably a stupid question as the script automates the process, but does running the following command first resolve the error?

Code:
modprobe xt_set

If not, please post the output of the following;

Code:
lsmod

Uninstalled and reinstalled Skynet v6.6.0.

Code:
Admin@RT-AX88U-76E8:/tmp/home/root# sh /jffs/scripts/firewall debug info extended
#############################################################################################################
#                                _____ _                     _             __                               #
#                               / ____| |                   | |           / /                               #
#                              | (___ | | ___   _ _ __   ___| |_  __   __/ /_                               #
#                               \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                              #
#                               ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                             #
#                              |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                              #
#                                            __/ |                                                          #
#                                           |___/                                                           #
#                                                                                                           #
## - 15/11/2018 -                  Asus Firewall Addition By Adamm v6.6.0                                   #
##                                 https://github.com/Adamm00/IPSet_ASUS                                    #
#############################################################################################################


Router Model; RT-AX88U
Skynet Version; v6.6.0 (15/11/2018)
iptables v1.4.15 - (ppp0 @ 192.168.2.100)
ipset v6.32, protocol version: 6
FW Version; 384.8_alpha3-g6261ef60f (Nov 11 2018) (4.1.51)
Install Dir; /tmp/mnt/entware/skynet (1.5G / 3.8G Space Available)
SWAP File; /tmp/mnt/entware/myswap.swp (2.0G)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/entware/skynet
No Lock File Found

[i] Checking Internet Connectivity...                   [Passed]
[i] Checking Install Directory Write Permissions...     [Passed]
[i] Checking Firewall-Start Entry...                    [Passed]
[i] Checking Services-Stop Entry...                     [Passed]
[i] Checking CronJobs...                                [Passed]
[i] Checking IPSet Comment Support...                   [Passed]
[i] Checking Log Level 5 Settings...                    [Passed]
[i] Checking For Duplicate Rules In RAW...              [Passed]
[i] Checking Inbound Filter Rules...                    [Failed]
[i] Checking Inbound Debug Rules                        [Failed]
[i] Checking Outbound Filter Rules...                   [Failed]
[i] Checking Outbound Debug Rules                       [Failed]
[i] Checking Whitelist IPSet...                         [Passed]
[i] Checking BlockedRanges IPSet...                     [Passed]
[i] Checking Blacklist IPSet...                         [Passed]
[i] Checking Skynet IPSet...                            [Passed]
[i] Checking For Diversion Plus Content...              [Dismissed]

[i] Checking Autoupdate Setting...                      [Enabled]
[i] Checking Auto-Banmalware Update Setting...          [Enabled]
[i] Checking Debug Mode Setting...                      [Enabled]
[i] Checking Filter Traffic Setting...                  [Enabled]
[i] Checking Unban PrivateIP Setting...                 [Enabled]
[i] Checking Log Invalid Setting...                     [Disabled]
[i] Checking Ban AiProtect Setting...                   [Enabled]
[i] Checking Secure Mode Setting...                     [Enabled]
[i] Checking Fast Switch Setting...                     [Disabled]

13/17 Tests Sucessful.


################################################
## Generated By Skynet - Do Not Manually Edit ##
## Nov 16 08:27:07 ##

## Installer ##
model="RT-AX88U"
localver="v6.6.0"
autoupdate="enabled"
banmalwareupdate="daily"
forcebanmalwareupdate="true"
debugmode="enabled"
filtertraffic="all"
swaplocation="/tmp/mnt/entware/myswap.swp"
swappartition=""

## Other ##
blacklist1count=""
blacklist2count=""
customlisturl=""
customlist2url=""
countrylist=""
excludelists=""

## Settings ##
unbanprivateip="enabled"
loginvalid="disabled"
banaiprotect="enabled"
securemode="enabled"
extendedstats="enabled"
fastswitch="disabled"

################################################


[#] 0 IPs (+0) -- 0 Ranges Banned (+0) ||  Inbound --  Outbound Connections Blocked! [debug] [0s]

Admin@RT-AX88U-76E8:/tmp/home/root# iptables -t raw -I PREROUTING -i br0 -m set ! --match-set Skynet-Whitelist dst -m set --match-set Skynet-Master dst -j DROP
iptables: No chain/target/match by that name.
Admin@RT-AX88U-76E8:/tmp/home/root# modprobe xt_set
modprobe: module xt_set not found in modules.dep
Admin@RT-AX88U-76E8:/tmp/home/root# lsmod
Module                  Size  Used by    Tainted: P
ip_set_list_set         8149  1
ip_set_hash_ip         20359  1
ip_set_hash_net        24466  2
ip_set                 28899  3 ip_set_list_set,ip_set_hash_ip,ip_set_hash_net
nfsd                   95365 11
lockd                  69440  1 nfsd
grace                   1853  1 lockd
sunrpc                202183  9 nfsd,lockd
exportfs                3743  1 nfsd
tun                    21303  3
tdts_udbfw             45302  0
tdts_udb              250627  1 tdts_udbfw
tdts                  453131  2 tdts_udbfw,tdts_udb
nf_nat_sip              9604  0
nf_conntrack_sip       23967  1 nf_nat_sip
nf_nat_h323             6991  0
nf_conntrack_h323      41585  1 nf_nat_h323
nf_nat_rtsp             4258  0
nf_conntrack_rtsp       7795  1 nf_nat_rtsp
nf_nat_ftp              2099  0
nf_conntrack_ftp        7469  1 nf_nat_ftp
usblp                  14738  0
thfsplus              102981  0
tntfs                 476880  0
tfat                  277437  0
sr_mod                 14635  0
cdrom                  29513  1 sr_mod
uas                    15645  2
usb_storage            54203  1 uas
sg                     28525  0
sd_mod                 31170  3
scsi_mod              171485  5 sr_mod,uas,usb_storage,sg,sd_mod
cdc_mbim                5332  0
qmi_wwan               14289  0
huawei_cdc_ncm          2389  0
cdc_wdm                10545  3 cdc_mbim,qmi_wwan,huawei_cdc_ncm
cdc_ncm                16787  2 cdc_mbim,huawei_cdc_ncm
rndis_host              6121  0
cdc_ether               4864  1 rndis_host
ax88179_178a           16204  0
asix                   22797  0
libphy                 27681  1 asix
cdc_acm                18547  0
usbnet                 21074  8 cdc_mbim,qmi_wwan,huawei_cdc_ncm,cdc_ncm,rndis_host,cdc_ether,ax88179_178a,asix
mii                     4341  3 ax88179_178a,asix,usbnet
bcm_usb                 1957  0
ohci_platform           5283  0
ohci_hcd               31852  1 ohci_platform
ehci_platform           5831  0
ehci_hcd               40649  1 ehci_platform
xhci_plat_hcd           4670  0
xhci_hcd              103270  1 xhci_plat_hcd
usbcore               166572 20 usblp,uas,usb_storage,cdc_mbim,qmi_wwan,huawei_cdc_ncm,cdc_wdm,cdc_ncm,rndis_host,cdc_ether,ax88179_178a,asix,cdc_acm,usbnet,ohci_platform,ohci_hcd,ehci_platform,ehci_hcd,xhci_plat_hcd,xhci_hcd
usb_common              2813  1 usbcore
dhd                   567545  0
dpsta                  10220  1 dhd
igs                    18026  1 dhd
emf                    22978  2 dhd,igs
hnd                   308965  4 dhd,dpsta,igs,emf
bcm_thermal             6637  0
bcmspu                 67050  0
bcmpdc                 10200  1 bcmspu
pwrmngtd                3501  0
bcmvlan               109032  0
wfd                    19665  1 dhd
bcm_pcie_hcd           28576  0
bcmmcast               60800  3 dhd,wfd
nciTMSkmod            381669  0
pktrunner             318573  0
cmdlist                51130  1 pktrunner
bcm_enet              173603  1 tdts_udbfw
pktflow               220586  2 tdts_udbfw,pktrunner
rdpa_cmd               99400  0
chipinfo                1769  0
rdpa_mw                29136  2 bcmvlan,rdpa_cmd
rdpa_usr               30790  0
rdpa                 1682507  2 wfd,bcm_enet
rdpa_gpl_ext            1377  0
rdpa_gpl               26284  8 dhd,wfd,pktrunner,bcm_enet,rdpa_cmd,rdpa_mw,rdpa_usr,rdpa
bdmf                 1274403  9 dhd,wfd,pktrunner,bcm_enet,rdpa_cmd,rdpa_mw,rdpa_usr,rdpa,rdpa_gpl
rdp_fpm                30129  1 rdpa
wlcsm                  16949 44 dhd,hnd,bcm_pcie_hcd
Admin@RT-AX88U-76E8:/tmp/home/root#
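
Added example, not part of the original posts and not Skynet's own code: the output above shows the ip_set modules loaded, `xt_set` absent, and iptables rejecting the `--match-set` rule, so the sets exist but nothing filters on them. The sketch below checks captured `lsmod` and `iptables-save -t raw` text for that state; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example; all sample text is constructed, following the shape of the
# lsmod and iptables output posted in the thread.

# Print each module named in $1 that is absent from lsmod text on stdin.
missing_modules() {
    loaded=$(awk '{ print $1 }')
    for m in $1; do
        printf '%s\n' "$loaded" | grep -qx "$m" || printf '%s\n' "$m"
    done
    return 0
}

# Count rules in iptables-save text (stdin) that match on ipset $1 and DROP.
set_drop_rules() {
    grep -c -e "--match-set $1 .*-j DROP" || true
}

# Verdict from captured lsmod text ($1) and raw-table rules ($2).
filter_state() {
    missing=$(printf '%s\n' "$1" | missing_modules "ip_set xt_set")
    drops=$(printf '%s\n' "$2" | set_drop_rules "Skynet-Master")
    if [ -n "$missing" ]; then
        echo "NOT FILTERING: missing module(s): $(echo $missing)"
    elif [ "$drops" -eq 0 ]; then
        echo "NOT FILTERING: no DROP rule references Skynet-Master"
    else
        echo "FILTERING: $drops DROP rule(s) reference Skynet-Master"
    fi
}

LSMOD_NO_XT_SET='Module                  Size  Used by    Tainted: P
ip_set_hash_ip         20359  1
ip_set_hash_net        24466  2
ip_set                 28899  2 ip_set_hash_ip,ip_set_hash_net'

LSMOD_WITH_XT_SET="$LSMOD_NO_XT_SET
xt_set                  9999  4"

RAW_WITH_RULE='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i br0 -m set ! --match-set Skynet-Whitelist dst -m set --match-set Skynet-Master dst -j DROP
COMMIT'

RAW_EMPTY='*raw
:PREROUTING ACCEPT [0:0]
COMMIT'

filter_state "$LSMOD_NO_XT_SET" "$RAW_EMPTY"
filter_state "$LSMOD_WITH_XT_SET" "$RAW_EMPTY"
filter_state "$LSMOD_WITH_XT_SET" "$RAW_WITH_RULE"
```

On a live router the same verdict comes from `filter_state "$(lsmod)" "$(iptables-save -t raw)"`.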
 
I've pushed v6.6.1

Code:
Rewrite "debug info" output
Rewrite "banmalware" output
Rewrite "stats search malware" output
Consolidate Display_Header* ()
Consolidate Extended_DNSStats* ()
Fix activity indicator trail bug when using "grep -HE"
Fix grep error if extendedstats is disabled @hw1380 
Disable wordwrap

A continuation of the theme from the last update, I've gone ahead and also updated a few other functions' output to match the new format, which I personally think looks much better. Wordwrap is now disabled as output looked terrible on smaller screens, so if you notice text getting cut off on mobile devices or minimized windows, that's why.


This should be the last update in the near future (think I've said that before :p) assuming no major bugs come from the update.
 
Once again, thank you.

Looking much nicer (Very Pretty !!!) and easier to read. :)
 
After adding 1-2 IPs to the Ban list, Skynet wouldn't let me add anymore and showed "Internet Connectiviy Error". Toggling Skynet didn't help either. A reboot helped for adding another 1-2 IPs and the error would occur.

And now I can't perform update even though the router was rebooted 15 minutes ago and I haven't touched Skynet.

Do you know what might be the reason?
 
Skynet wouldn't let me add anymore and showed "Internet Connectiviy Error".

Skynet will check your connection during certain functions to make sure you have online connectivity. If it fails 4 times within 30 seconds Skynet will exit. You must be having some issues pinging google.com and github.com
 
Sometimes my Skynet won't start normally after booting the router. I think this happens because I have Disk check script enabled in amtm and the swap file won't be ready and available for Skynet soon enough? Or what do you think?

I pasted some lines from the System log of my RT-AC68U so you can see the timeline.
Swap is located on my "DT_1" flash drive as you can see:

Code:
Nov 16 20:57:16 Skynet: [*] USB Not Found - Sleeping For 10 Seconds ( Attempt 1 Of 10 )

Nov 16 20:57:59 Skynet: [*] Skynet Requires A SWAP File - Install One By Running ( /jffs/scripts/firewall debug swap install )

Nov 16 20:58:21 amtm: Disk check done on /dev/sdc1
Nov 16 20:58:21 syslog: USB ext2 fs at /dev/sdc1 mounted on /tmp/mnt/DT_1
Nov 16 20:58:21 usb: USB ext2 fs at /dev/sdc1 mounted on /tmp/mnt/DT_1.

Nov 16 20:58:21 custom_script: Running /jffs/scripts/post-mount (args: /tmp/mnt/DT_1 ) - max timeout = 120s
Nov 16 20:58:21 rc_service: hotplug 813:notify_rc restart_nasapps
Nov 16 20:58:21 kernel: Adding 262140k swap on /tmp/mnt/DT_1/myswap.swp.  Priority:-1 extents:67 across:266504k

Can I somehow delay the starting of Skynet? Or otherwise make sure that swap is ready for Skynet?
 
Code:
login as: administrator0f5kc6a
administrator0f5kc6a@10.0.0.1's password:


ASUSWRT-Merlin RT-AX88U 384.8-beta1 Fri Nov 16 20:06:00 UTC 2018
administrator0f5kc6a@RT-AX88U-8C80:/tmp/home/root# ipset list | grep Name
Name: Skynet-Whitelist
Name: Skynet-Blacklist
Name: Skynet-BlockedRanges
Name: Skynet-Master
administrator0f5kc6a@RT-AX88U-8C80:/tmp/home/root#
 
Can I somehow delay the starting of Skynet? Or otherwise make sure that swap is ready for Skynet?

I feel like this is a design flaw with the disk check script, not Skynet. If you are intentionally delaying mounting of a partition (for up to hours depending on size of the usb, I ended up removing the script due to how long it takes) you can't expect the rest of the system to just indefinitely wait.
 
Hi Adam - I am having troubles with Skynet now that I have 384.8beta1 on my 86U. It says it does not start after doing a reboot. But I'm getting mixed signals from the info. Can you make sense of all this?

I suspected Skynet was not starting upon a reboot, so I manually did a Restart. Here is what I got.

Router Model; RT-AC86U
Skynet Version; v6.6.1 (17/11/2018)
iptables v1.4.15 - (eth0 @ 192.168.2.1)
ipset v6.32, protocol version: 6
FW Version; 384.8_beta1 (Nov 16 2018) (4.1.27)
Install Dir; /tmp/mnt/data/skynet (25.6G / 27.5G Space Available)
SWAP File; /tmp/mnt/data/myswap.swp (512.5M)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/data/skynet
Banned Countries; pk ir kp cn ru vn ua iq ng in br th id eg

Checking Inbound Filter Rules... [Failed]
Checking Outbound Filter Rules... [Failed]
Checking Whitelist IPSet... [Failed]
Checking BlockedRanges IPSet... [Failed]
Checking Blacklist IPSet... [Failed]
Checking Skynet IPSet... [Failed]


If I do a debug info, I get this:

Router Model; RT-AC86U
Skynet Version; v6.6.1 (17/11/2018)
iptables v1.4.15 - (eth0 @ 192.168.2.1)
ipset v6.32, protocol version: 6
FW Version; 384.8_beta1 (Nov 16 2018) (4.1.27)
Install Dir; /tmp/mnt/data/skynet (25.6G / 27.5G Space Available)
SWAP File; /tmp/mnt/data/myswap.swp (512.5M)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/data/skynet
Banned Countries; pk ir kp cn ru vn ua iq ng in br th id eg
No Lock File Found

---------------- | ------
Test Description | Result
---------------- | ------

Internet-Connectivity | [Passed]
Write Permission | [Passed]
Firewall-Start Entry | [Passed]
Services-Stop Entry | [Passed]
CronJobs | [Failed]
IPSet Comment Support | [Passed]
Log Level 5 Settings | [Passed]
Duplicate Rules In RAW | [Passed]
Inbound Filter Rules | [Failed]
Inbound Debug Rules | [Failed]
Outbound Filter Rules | [Failed]
Outbound Debug Rules | [Failed]
Whitelist IPSet | [Failed]
BlockedRanges IPSet | [Failed]
Blacklist IPSet | [Failed]
Skynet IPSet | [Failed]


------- | ------
Setting | Status
------- | ------

Autoupdate | [Enabled]
Auto-Banmalware Update | [Enabled]
Debug Mode | [Enabled]
Filter Traffic | [Enabled]
Unban PrivateIP | [Enabled]
Log Invalid | [Disabled]
Ban AiProtect | [Disabled]
Secure Mode | [Enabled]
Fast Switch | [Disabled]

7/16 Tests Sucessful

[#] 159244 IPs (+0) -- 30103 Ranges Banned (+0) || Inbound -- Outbound Connec]


If I do a banmalware, I get this:

[*] Skynet Not Running - Exiting


Problems with running under alpha1?
 
Can you make sense of all this?

Run the command;

Code:
sh /jffs/scripts/firewall restart

Then take a look at your syslog. Skynet will either start up as per usual or it will produce an exact error as to why it is exiting.
 
I got this:


[*] sh /jffs/scripts/firewall restart Isn't An Option!

So I did a reinstall. This will be the 3rd time I've done that since installing beta1.

First I did an uninstall, reboot, then install. Then Reboot. Then
sh /jffs/scripts/firewall banmalware

Got this.

[*] Skynet Not Running - Exiting


In the logs, there were these lines:

Nov 17 11:13:45 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/data/skynet )
Nov 17 11:13:46 Skynet: [*] Skynet Requires A SWAP File - Install One By Running ( /jffs/scripts/firewall debug swap install )

When I did the install, of course I specified a Swap file (512MB), and it said it created one. I do not know if one was there before the install, I did not look.
 
The command didn’t work because you used it inside the Skynet menu. Anyway, once you create a swap file using the command provided your issue should be resolved.

Skynet can self-diagnose almost any issue with itself so just observe the output closely.
 